DETAILED ACTION

Response to Arguments

Applicant's arguments with respect to claims 1-21 have been considered but are 
moot in view of the new ground(s) of rejection. 

Specification 

The specification is objected to as failing to provide proper antecedent basis for
the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction
of the following is required: a device read call as in claim 7.

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

Claims 12, 18 and 19 are rejected under 35 U.S.C. 112, first paragraph, as 
failing to comply with the written description requirement. The claim(s) contains 
subject matter which was not described in the specification in such a way as to 
reasonably convey to one skilled in the relevant art that the inventor(s), at the 
time the application was filed, had possession of the claimed invention. 

As in claim 12, the claimed maintaining root and current directions while threads are in
the middle of system call processing was not described in the specification.

As in claim 18, the claimed selecting step can be based on the outcome of system calls
including pass, failure or both was not described in the specification.

As in claim 19, the claimed presenting deposited data to a user space via a device driver
in the kernel was not described in the specification.

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 1, 17 and 18 are rejected under 35 U.S.C. 112, second paragraph, as
being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. 

Claim 1 recites the limitation the system call path in the step of triggering data 
delivery. There is insufficient antecedent basis for this limitation in the claim. 

Claim 17 recites the limitation the tokens. There is insufficient antecedent basis for 
this limitation in the claim. 

Claim 18 recites the limitation the outcome of system calls. There is insufficient
antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-21 are rejected under 35 U.S.C. 102(e) as being anticipated by
Crosbie et al. [US 2002/0083343 A1].

The applied reference has a common assignee with the instant application. 
Based upon the earlier effective U.S. filing date of the reference, it constitutes 
prior art under 35 U.S.C. 102(e). This rejection under 35 U.S.C. 102(e) might be 
overcome either by a showing under 37 CFR 1.132 that any invention disclosed 
but not claimed in the reference was derived from the inventor of this application 
and is thus not the invention "by another," or by an appropriate showing under 
37 CFR 1.131. 

Regarding claim 1, Crosbie teaches a method of generating kernel audit data
comprising:

storing system call parameters or data the parameters point to at the beginning of a system call 
(paragraph [0205], a user process makes a library call, the call is translated into a 
system call, if the system call is being audited, header related information: user id, 
group id, timestamps, process id, etc. as system call parameters is gathered and stored in 
temporary buffers); and 

triggering data delivery at the end of the system call path (paragraph [0205], once the 
system call completes as the end of the system call path, the return value and error value 
are recorded) and 

generating an audit record and depositing the audit record in a circular buffer (paragraph 
[0205], the entire record is placed in a circular buffer in the kernel audit driver). 

Regarding claim 2, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses each system call that
accesses files, storing related file information (paragraph [0205]).

Regarding claim 3, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 2, Crosbie further discloses related file information
includes file owner or group and the file information is stored before any modifications occur that
might affect the file information (paragraph [0205]).

Regarding claim 4, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses system call parameters
that include path name parameters are stored with full path name information (paragraphs
[0237-0239]).

Regarding claim 5, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the audit record is a
tokenized audit record (paragraph [0138]).

Regarding claim 6, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the step of reading
audit records from the circular buffer (paragraph [0205]).

Regarding claim 7, Crosbie teaches all of the claimed subject matter as 
discussed above with respect to claim 6, Crosbie further discloses the reading is triggered 
using a device read call (paragraph [0205]). 

Regarding claim 8, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the step of
maintaining system wide configuration related data structures (FIG. 3) and setting selection masks
based on such structures (paragraph [0761]).

Regarding claim 9, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the step of collecting
data in the system call path and formatting the collected data into an audit record (paragraph
[0105]).

Regarding claim 10, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 9, Crosbie further discloses the collected data is a
token stream (paragraph [0105]).

Regarding claim 11, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses if the circular buffer is
full then either reading some of the audit records from the circular buffer or dropping (paragraph
[0175]).

Regarding claim 12, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 4, Crosbie further discloses the step of
maintaining root and current directions while threads are in the middle of system call processing
(paragraph [0239]).

Regarding claim 13, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 9. Crosbie further discloses the step of selecting
which data to collect before said collecting step (paragraph [0205]).

Regarding claim 14, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 13, Crosbie further discloses selecting step can be
based on process, user, group, filename information and/or time intervals (paragraph [0205]).

Regarding claim 15, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the step of detecting
hard link accesses to a critical file (paragraph [0616]).

Regarding claim 16, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 15, Crosbie further discloses the step of
maintaining a critical file list for monitoring hard links (paragraphs [0451-0461]).

Regarding claim 17, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 5, Crosbie further discloses the tokens are either
primitive or composed (paragraph [0138]).

Regarding claim 18, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 13, Crosbie further discloses selecting step can be
based on the outcome of system calls including pass, failure or both (paragraph [0205]).

Regarding claim 19, Crosbie teaches all of the claimed subject matter as
discussed above with respect to claim 1, Crosbie further discloses the step of presenting
deposited data to a user space via a device driver in the kernel (paragraph [0205]).

Regarding claim 20, Crosbie teaches all the claim subject matters as discussed
above with respect to claim 13, Crosbie further discloses the step of configuring which
system calls are audited by making ioctl() (control) calls on a device driver (paragraph [0171]).

Regarding claim 21, Crosbie teaches all the claim subject matters as discussed
above with respect to claim 1, Crosbie further discloses the step of enabling the generation
of audit data when a device driver is opened for read, and halting data generation when the device
driver is closed (paragraph [0205]).

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to HAROLD E DODDS whose telephone number is
571-272-4110. The examiner can normally be reached on Monday-Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, JOHN E. BREENE can be reached on 571-272-4107. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 